A deluge of emailed bomb threats has caused hospitals, schools and businesses to close across the US and Canada.
On Wednesday (12 December), a flood of emailed bomb threats was reported at a range of locations in the US and Canada.
People received bomb threats via email, warning the recipient that explosives had been planted in their premises and would be detonated unless a $20,000 bitcoin ransom was paid. According to a source who spoke to Ars Technica, more than 100,000 such emails had been received by 13 December.
Law enforcement agencies throughout the US have described the threats as hoaxes, with the New York Police Department tweeting that the threats are not likely to be credible. NBC News said that the number of threats reported had reached dozens.
Multiple bomb threat calls
Students at the Bronx High School of Science in New York City were evacuated after a bomb threat was phoned in. A spokesperson for the police in Oklahoma City said between 10 and 12 emailed bomb threats were sent to specific addresses in and around the city centre. Threats were sent in Ottawa, Winnipeg, British Columbia and other Canadian locations.
Meanwhile, in San Francisco, police responded to a number of bomb threat reports, including one at a Jewish community centre, and numerous branches of the San Francisco Fire Credit Union were evacuated. According to security expert Brian Krebs, a number of banks were also disrupted in the wake of the messages being sent. The most high-profile evacuation reported was the Los Angeles headquarters of Infinity Ward, the game company behind the popular Call of Duty series.
Escalation of a previous scam
Experts believe that the scam appears to be a major escalation of a bitcoin blackmail scam that surfaced during the summer. In that earlier wave, victims were told that a hacker had accessed their webcam while they were watching pornography, and the sender threatened to release the resulting images to the public unless a ransom was paid. Of course, there were no images, but perpetrators still managed to profit.
People have also noticed that a large-scale threat coupled with a big ransom demand invites more scrutiny from law enforcement, which is not ideal for evading detection.
Mukul Kumar, CISO and vice-president of cyber practice at Cavirin, told Threatpost that regular employee training is crucial in these situations. “Enterprises conduct regular fire drills. Potential disruption from what is obviously a false threat is just as real.
“And, one of the risks here is if there had been links in the email that an employee could inadvertently click out of panic or confusion. Email filters would help here, not to mention blocking the source domain of the sender.”